The Finnish Data Protection Ombudsman published guidance on data protection and limiting the spread of COVID-19 on 12th March, followed by Q&As relating to COVID-19 and data protection on the 23rd of March. At the European level, the European Data Protection Board ("EDPB") adopted a statement on 19th March on the processing of personal data in the context of the outbreak of COVID-19.
Both the EDPB and the Finnish DPA have stated that neither the GDPR nor the Finnish data protection laws stand in the way of the measures necessary to fight COVID-19. However, the regulators stressed that it remains vital to protect the personal data of data subjects. As we currently live in exceptional circumstances, restrictions of freedoms might be justified, provided the restrictions are proportionate and limited to the emergency at hand.
In this short advice note, we summarize the guidance and in particular address three specific points made by the authorities:
1. Legal basis for processing health data during an epidemic
Generally, the processing of health data is subject to strict limitations. The GDPR is however sufficiently flexible to accommodate the needs of companies and public authorities. As for public authorities, Article 9(2)(i) GDPR in combination with the existing Finnish Acts provides a sufficient legal basis. Article 9(2)(i) covers processing that is necessary for reasons of public interest in the area of public health.
In the employment context, processing of personal data can be necessary when it relates to health and safety, to a legal obligation of the employer or to the public interest. The processing of health data by the employer can be justified under Article 9(2)(b) GDPR, as the processing can be regarded as necessary for carrying out the employer's legal obligations in the field of employment. For example, under the Occupational Safety and Health Act, employers are responsible for the safety and health of their employees. We however do not recommend relying on consent as a legal basis, as consent given by an employee to an employer is rarely considered freely given.
2. How to inform data subjects about the processing of personal data?
Transparency is key during these exceptional circumstances, especially as it will help to motivate employees and other data subjects to take voluntary action:
- Do not forget to tell data subjects about the retention periods and purposes for the processing of their personal data, for example stating: "processing is based on the legal obligation of the employer to protect the health of the staff by implementing measures that prevent COVID-19 from spreading."
- Document the measures that have been implemented to manage the emergency and the underlying decision-making relating to it.
In the case of visitors arriving at a company's reception, we recommend setting up signs informing them about the process and the data collection.
3. What employers can and cannot do in relation to the health data of visitors/employees?
In Finland, employers may under certain circumstances ask visitors to provide health information in the context of COVID-19 under the legal obligation to protect the health of their employees. Regarding the processing of employee health data, each company needs to take a case-by-case decision, taking into account the sector and the type of work the data subjects concerned do. The guidance of the Finnish Data Protection Authority states that, as a starting point, the information that a particular employee has been infected must not be shared. This is certainly one of the more controversial parts of the Ombudsman's guidance. It is important to stress that the prohibition on telling other employees is not absolute. While not explained in the guidance of the Ombudsman, we believe that in exceptional circumstances such data can be shared to protect others. For example, in nursing homes, asking for more detailed information and sharing with other employees who is infected with COVID-19 could be considered proportionate, as the lives of members of risk groups are at stake. In other sectors, employers can instruct employees to work from home when they feel symptoms and ask for voluntary updates on their health status. Generally speaking, voluntary measures should be preferred.
Employers should not perform medical check-ups themselves on their employees. Those are reserved for health professionals. Employers should give instructions to employees to stay home when they experience symptoms and guide them to contact occupational health care.
At Bird & Bird we support our clients in times of crisis and in any questions that may arise during these exceptional circumstances. Don't hesitate to contact our Data Protection team.